A security gateway receives messages transmitted between a server and a client device on a network and parses each message into a plurality of data objects, such as strings and name-value pairs. The data objects may carry user personal identification information, such as a user name, social security number, credit card number, patient code or driver's license number. The security gateway applies rules to recognize data objects and to validate them, that is, to determine whether a recognized data object is appropriately included in its context (the session, the message type, and whether the message comes from the client or the server). The security gateway may also perform an action on a data object: one that is not appropriately included in its context may be transformed, suppressed or disallowed.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for transforming, by a security gateway, a message transmitted from a client to a server via the security gateway, the method comprising: receiving, by a security gateway executing on a device, a message from a client transmitted to a server via a session, the message comprising a first data object; identifying, by a rule engine of the security gateway, a type of the message corresponding to a type of language used in the message and identifying, a rule corresponding to the type of the message and that the message is a client message; recognizing, by the rule engine, that the first data object matches a pattern according to the rule; determining, by the rule engine, that the recognized first data object is not valid for the session according to the rule; modifying, by the security gateway according to the rule and in response to the determination, the message by one of disallowing, suppressing or transforming the first data object; and transmitting, by the security gateway, the modified message to the server.
2. The method of claim 1, further comprising parsing, by a message parser, the message into the first data object prior to recognition by the rule engine.
3. The method of claim 1, further comprising: receiving, by the security gateway, a second message from the client transmitted to the server via the session, the second message comprising a second data object; identifying, by the rule engine, a second type of the second message and a second rule corresponding to the second type of the second message; recognizing, by the rule engine, that the second data object matches a pattern according to the second rule; determining, by the rule engine, that the recognized second data object is valid for the session according to the second rule; and transmitting, by the security gateway, the second message to the server.
4. The method of claim 3, wherein the first data object comprises one of the following: a name-value pair, a string of characters or a string of numbers.
5. The method of claim 1, wherein the first data object comprises one of the following: a name of a person, a first number identifying the person from a plurality of persons, a second number identifying confidential information relating to the person.
6. The method of claim 1, wherein the first data object comprises one or more of the following: a person's name, a social security number, a credit card number, a driver's license number or a patient code.
7. The method of claim 1, wherein the security gateway is an intermediary between the client and the server, intercepting and forwarding messages between the client and the server.
8. The method of claim 1, further comprising storing, by a session storage module, data objects recognized within the session.
9. The method of claim 1, further comprising associating, by a session storage module, session related information with a session identifier corresponding to the rule of the rule engine.
10. The method of claim 1, further comprising: deriving, by a sessionizer module, a session identifier from the message to uniquely identify the session within which the message originated.
11. The method of claim 1 , further comprising receiving, by the security gateway, a second message from the server transmitted to the client via the session, the second message comprising a plurality of data objects; identifying, by the security gateway, a second type of the second message; determining, by the rule engine, that a number of occurrences of credit card numbers within one or more data objects of the plurality of data objects exceeds a predetermined number; modifying, by the security gateway in response to the determination, one or more digits of a plurality of digits of a credit card number of the number of occurrences of credit card numbers; and transmitting, by the security gateway, the modified second message.
12. The method of claim 11, further comprising: determining, by the rule engine, that a third data object of the third message comprises one of: a name of a patient or a social security number of a patient; and modifying, by the security gateway in response to the determination, the third message by suppressing a portion of the third message.
13. A security gateway for transforming a message transmitted from a client to a server, the security gateway comprising: a message parser, executing on a device, receiving a message from a client transmitted to a server via a session, the message comprising a first data object; a rule engine identifying a type of the message corresponding to a type of language used in the message and a rule corresponding to the type of the message and that the message is a client message; a recognizing module, recognizing that the first data object matches a pattern according to the rule; a validation module, determining that the recognized first data object is not valid for the session according to the rule; wherein the rule engine modifies, according to the rule and in response to the determination, the message by one of disallowing, suppressing or transforming the first data object, and the security gateway transmits the modified message to the server.
14. The security gateway of claim 13, further comprising one or more of the following: a name recognizing module, an age recognizing module, a social security number recognizing module, a passport recognizing module and a regular expression recognizing module.
15. The security gateway of claim 13, further comprising one or more of the following: a safe commerce validation module, a HIPAA validation module, or a safe password validation module.
16. The security gateway of claim 13, wherein the message parser parses the message into one or more data objects prior to recognition by the recognizing module.
17. The security gateway of claim 13, wherein the first data object comprises one or more of the following: a name-value pair, a string of characters or a string of numbers.
18. The security gateway of claim 13, wherein the first data object comprises one of the following: a name of a person, a first number identifying the person from a plurality of persons, a second number identifying confidential information relating to the person.
19. The security gateway of claim 17, wherein the first data object comprises one or more of the following: a person's name, a social security number, a credit card number, a driver's license number or a patient code.
20. The security gateway of claim 13, wherein the security gateway is an intermediary between a client and a server, intercepting and forwarding messages between the client and the server.
21. The security gateway of claim 13, further comprising a sessionizer module deriving a session identifier from the message uniquely identifying the session within which the message originated.
22. The security gateway of claim 21, further comprising a session storage module associating session related information with a session identifier corresponding to the rule of the rule engine.
23. The security gateway of claim 13, wherein: the message parser receives a second message from the server transmitted to the client via the session, the second message comprising a plurality of data objects; the rule engine identifies a second type of the second message; the recognizing module determines that a number of occurrences of credit card numbers within one or more data objects of the plurality of data objects exceeds a predetermined number; the rule engine, in response to the determination, modifies one or more digits of a first credit card number of the number of occurrences of credit card numbers; and the security gateway transmits the modified second message.
24. The security gateway of claim 13, wherein the rule engine determines that a third data object of the third message comprises one of a name of a patient or a social security number of a patient and in response to the determination modifies the third message by performing suppression of a portion of the third message.
25. A method for modifying a message transmitted between a client and a server via an intermediary device, the method comprising: receiving, by a device intermediary to a client and a server, a message between the client and the server via a session, the message comprising a first data object; determining, by a rule engine of the device, a message type corresponding to a type of language used in the message; identifying, a rule corresponding to the message type and whether the message is a client message or a server message, the rule comprising a recognizing component and a validation component; recognizing, by the rule engine using the recognizing component, that the first data object matches a pattern specified by the recognizing component of the rule; determining, by the rule engine using the validation component of the rule, that the recognized first data object is not valid for the session specified by the validation component of the rule; and modifying, by the device according to the rule and in response to the determination, the message by one of disallowing, suppressing or transforming the first data object.
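The pipeline described in the abstract and in claims 1, 11 and 12 (parse a message into name-value pairs, pick a rule by message type and direction, recognize a pattern, validate it against the session, then disallow, suppress or transform), shown here as an added Python example that is not part of the patent and not any vendor's implementation. Everything beyond what the claims state is an assumption: HTTP content types stand in for the "type of language", the session identifier is a string supplied by the caller, the policy that a client may only submit a social security number in a session already marked verified, the threshold of one card number per server response, the `patient_name` field name, and the sample messages, which are constructed.

```python
# Added example, not the patent's or any product's code. Assumed, not from the page: HTTP-style
# bodies typed by content type, a caller-supplied session id, rule lookup keyed by
# (direction, content type), the card threshold and the field names.
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits with optional space/dash separators; candidates are then Luhn-checked
CARD_RE = re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b")
MAX_CARDS_PER_RESPONSE = 1              # claim 11's "predetermined number" (assumed value)
PATIENT_NAME_FIELDS = {"patient_name"}  # assumed field name
FORM, JSON = "application/x-www-form-urlencoded", "application/json"
SESSIONS: Dict[str, dict] = {}          # session storage: per-session context and seen objects

class Disallowed(Exception):
    pass                                # raised by a rule that refuses to forward the message

@dataclass
class Message:
    direction: str      # "client" (to server) or "server" (to client)
    content_type: str   # the "type of language" used in the message
    session_id: str
    body: str

def parse(msg: Message) -> List[Tuple[str, str]]:
    """Message parser: split the body into name-value pairs according to its type."""
    if msg.content_type == FORM:
        return parse_qsl(msg.body, keep_blank_values=True)
    if msg.content_type == JSON:
        return [(k, str(v)) for k, v in json.loads(msg.body).items()]
    raise ValueError(f"unsupported message type {msg.content_type!r}")

def luhn_ok(digits: str) -> bool:
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)  # double every 2nd digit
                for i, d in enumerate(map(int, reversed(digits))))    # counting from the right
    return total % 10 == 0

def is_card(candidate: str) -> bool:
    """Recognizer: a CARD_RE match counts as a card number only if it passes Luhn."""
    return luhn_ok(re.sub(r"\D", "", candidate))

def mask_card(value: str) -> str:
    """Transform: star out all digits but the last four, keeping separators."""
    def repl(m):
        s = m.group()
        if not is_card(s):
            return s
        n, seen, out = sum(ch.isdigit() for ch in s), 0, []
        for ch in s:
            seen += ch.isdigit()
            out.append(ch if not ch.isdigit() or seen > n - 4 else "*")
        return "".join(out)
    return CARD_RE.sub(repl, value)

def client_ssn_rule(objs, sess):
    """Client message: an SSN is valid only in a session already marked verified
    (assumed policy); otherwise the whole message is disallowed."""
    hits = [(k, v) for k, v in objs if SSN_RE.search(v)]
    if hits and not sess["verified"]:
        raise Disallowed("SSN submitted in an unverified session")
    sess["seen"].extend(hits)          # remember recognized objects for this session
    return objs

def server_card_rule(objs, sess):
    """Server message: more card numbers than allowed -> mask every card (claim 11)."""
    count = sum(1 for _, v in objs for m in CARD_RE.finditer(v) if is_card(m.group()))
    return objs if count <= MAX_CARDS_PER_RESPONSE else [(k, mask_card(v)) for k, v in objs]

def server_patient_rule(objs, sess):
    """Server message: suppress patient names and SSNs entirely (claim 12)."""
    return [(k, v) for k, v in objs if k not in PATIENT_NAME_FIELDS and not SSN_RE.search(v)]

RULES = {   # rule selection by (message direction, message type)
    ("client", FORM): [client_ssn_rule],
    ("server", JSON): [server_card_rule, server_patient_rule],
}

def gateway(msg: Message) -> Optional[Message]:
    """Intermediary: parse, select rules, recognize/validate/act, re-serialize.
    Returns None when a rule disallows the message."""
    objs = parse(msg)
    sess = SESSIONS.setdefault(msg.session_id, {"verified": False, "seen": []})
    try:
        for rule in RULES.get((msg.direction, msg.content_type), []):
            objs = rule(objs, sess)
    except Disallowed:
        return None
    body = json.dumps(dict(objs)) if msg.content_type == JSON else urlencode(objs)
    return Message(msg.direction, msg.content_type, msg.session_id, body)

# Constructed sample traffic (not captured from any real system).
CLIENT_FORM = "user=alice&ssn=123-45-6789&note=hi"
SERVER_JSON = json.dumps({"patient_name": "Alice Smith", "ssn": "123-45-6789", "balance": "12.50",
                          "card1": "4111 1111 1111 1111", "card2": "5500-0000-0000-0004"})

if __name__ == "__main__":
    SESSIONS["s-verified"] = {"verified": True, "seen": []}
    print(gateway(Message("client", FORM, "s-new", CLIENT_FORM)))            # None: disallowed
    print(gateway(Message("client", FORM, "s-verified", CLIENT_FORM)).body)  # forwarded unchanged
    print(gateway(Message("server", JSON, "s-verified", SERVER_JSON)).body)  # masked and suppressed
```

Two practitioner caveats the example makes visible. First, a bare regex is a weak recognizer: the Luhn check is what keeps a sixteen-digit order number from being masked, and a real deployment would pair each recognizer with a validation step of that kind. Second, the gateway re-serializes the message after editing it, so the parser and serializer must round-trip faithfully for every message type the rule table claims to handle; this toy only understands flat JSON objects and form bodies, and anything else is rejected by `parse` rather than forwarded unchecked.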
January 9, 2009
June 4, 2013